CoreView's Use of Administrative Credentials
Modified on Tue, 06 Dec 2022 at 08:09 AM
This article will cover how CoreView uses the administrative credentials provided during the set-up process.
Overview
During the sign-up process, you will be prompted to supply the User Principal Name of an Office 365 account that has been granted the Tenant Admin role in Office 365. CoreView uses this account only temporarily, during the initial part of the sign-up process, to connect to your Office 365 tenant and to initialize the creation of your CoreView Tenant.
Note: The administrative credentials you provide during sign-up are not stored or retained by CoreView.
The administrative account used by the CoreView sign-up process does not need an Office 365 license and can be a cloud-only account, such as ima_admin@acme.onmicrosoft.com.
During CoreView tenant creation, the sign-up process creates a number of Office 365 service accounts and assigns them the Global Reader and Reports Reader permissions.
The number of service accounts created depends on the size of your Office 365 tenant; these accounts cannot be used to perform changes in any system.
The service accounts can be found in your Azure Active Directory tenant and follow the "Admin Read Only XY" naming convention.
If needed, you can give them a different display name than "Admin Read Only XY" so they are easier to recognize when searching. Do not change their assigned User Principal Name.
Furthermore, during the sign-up process, please give consent to the following apps when prompted:
Mandatory Apps
CoreView Portal: this app is created as soon as the first user logs in to the portal. It is required for users to log in to the CoreView web interface.
Azure Active Directory Graph (1)
- Sign in and read user profile: allows users to sign in to the app with their work or school accounts and allows the app to see basic user profile information.
Microsoft Graph (1)
- Sign in and read user profile: allows users to sign in to the app with their work or school accounts and allows the app to see basic user profile information.
CoreView Registration App: this is a temporary app used for service account creation and can be removed from the tenant immediately after the sign-up process.
Microsoft Graph (3)
- Sign in and read user profile: used to perform SSO from Azure AD to the CoreView platform.
- Read and write all users' full profiles: used to create the Service Accounts in Azure AD.
- Read and write all directory RBAC settings: used to assign the Global Reader role to the Service Accounts.
CoreView API Integration:
Microsoft Graph (33)
- Read all access reviews: allows the app to read access reviews on behalf of the signed-in user.
- Read all administrative units: allows the app to read administrative units and administrative unit membership without a signed-in user.
- Read all applications: allows the app to read applications and service principals on behalf of the signed-in user.
- Read all audit log data: allows the app to read and query your audit log activities, without a signed-in user.
- Read all call records: allows the app to read call records for all calls and online meetings without a signed-in user.
- Read the names and descriptions of all channels: read all channel names and channel descriptions, without a signed-in user.
- Read the members of all channels: read the members of all channels, without a signed-in user.
- Read Microsoft Intune apps: allows the app to read the properties, group assignments, and status of apps, app configurations, and app protection policies managed by Microsoft Intune, without a signed-in user.
- Read Microsoft Intune device configuration and policies: allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user.
- Read Microsoft Intune devices: allows the app to read the properties of devices managed by Microsoft Intune, without a signed-in user.
- Read Microsoft Intune RBAC settings: allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user.
- Read Microsoft Intune configuration: allows the app to read Microsoft Intune service properties including device enrollment and third-party service connection configuration, without a signed-in user.
- Read directory data: allows the app to read data in your organization's directory, such as users, groups, and apps, without a signed-in user.
- View users' email address: allows the app to read your users' primary email addresses.
- Read all groups: allows the app to read group properties and memberships, and read the calendar and conversations for all groups, without a signed-in user.
- Read all group memberships: allows the app to read memberships and basic group properties for all groups without a signed-in user.
- Read all identity risk event information: allows the app to read the identity risk event information for your organization without a signed-in user.
- Read all identity risky user information: allows the app to read the identity risky user information for your organization without a signed-in user.
- Read all identity user flows: allows the app to read your organization's user flows, without a signed-in user.
- Read all user mailbox settings: allows the app to read the user's mailbox settings without a signed-in user. Does not include permission to send mail.
- Read all hidden memberships: allows the app to read the memberships of hidden groups and administrative units without a signed-in user.
- Read organization information: allows the app to read the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information.
- Read all usage reports: allows the app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory.
- Read all directory RBAC settings: allows the app to read the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes reading directory role templates, directory roles, and memberships.
- Read your organization's security actions: allows the app to read security actions, without a signed-in user.
- Read your organization's security events: allows the app to read your organization's security events without a signed-in user.
- Read service health: allows the app to read your tenant's service health information, without a signed-in user. Health information may include service issues or service health overviews.
- Read service messages: allows the app to read your tenant's service announcement messages, without a signed-in user. Messages may include information about new or changed features.
- Get a list of all teams: get a list of all teams, without a signed-in user.
- Read the members of all teams: read the members of all teams, without a signed-in user.
- Read all users' teamwork activity feed: allows the app to read all users' teamwork activity feed, without a signed-in user.
- Sign in and read user profile: allows you to sign in to the app with your organizational account and lets the app read your profile. It also allows the app to read basic company information.
- Read all users' full profiles: allows the app to read user profiles without a signed-in user.
Office 365 Management APIs (3)
- Read activity data for your organization: allows the app to read activity data for your organization.
- Read DLP policy events including detected sensitive data: allows the app to read DLP policy events, including detected sensitive data, for your organization.
Optional steps
CoreView SharePoint Integration – API permissions: this app is used to retrieve additional details and security information from SharePoint and OneDrive, in particular OneDrive owners.
Azure Active Directory Graph (2)
- Sign in and read the user profile
SharePoint (1)
- Have full control of all site collections
CoreView Recipient Permissions role on Exchange: this is a custom role with the Get-RecipientPermission permission, which is required to retrieve SendAs permissions on mailboxes during the import process and is not included in the Global Reader role. A PowerShell script is provided during the provisioning process; it must be run against your tenant in an Exchange PowerShell session opened as an Exchange Admin, and it creates a dedicated read-only CoreView role that adds this missing cmdlet.
Important Notes
All app and service account operations (create, update, delete) are performed system to system, without human intervention.
MFA should be enabled on all CoreView service accounts, following the instructions in our Knowledge Base for the data center chosen for your tenant: How to Configure Allowed IP Addresses for CoreView Service Accounts
Customers can choose to withhold part of the consent, and CoreView will create ad-hoc scripts to match the reduced permission list. Please be aware that this will affect the quantity and quality of the data imported.
Additional Notes:
For more information on Microsoft rights please refer to:
Azure Active Directory Graph API: https://docs.microsoft.com/en-us/graph/permissions-reference
Microsoft Graph permissions reference: https://docs.microsoft.com/en-us/graph/permissions-reference
Office 365 Management Activity API: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference
During the sign-up process, CoreView creates between 2 and 9 read-only accounts (depending on the size of your tenant). They are used exclusively to gather data from the environment and are not enabled to perform management changes within it. These CoreView system users do not require Office 365 licensing and are used only for this import procedure.
They are members of a CoreView group that has Global Reader permissions only on the tenant and cannot be used to perform changes on the system.
The CoreView Role has the following assigned roles on Office 365:
- Global Reader
- CoreView Recipient Permissions (optional)
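A tenant admin can confirm after sign-up that the read-only service accounts hold only the roles listed above. The following is an added example, not CoreView's own code: it audits the shape of a Microsoft Graph "GET /directoryRoles?$expand=members" response and flags any service account that has picked up a role outside Global Reader and Reports Reader. The "Admin Read Only" display-name prefix, the UPNs and the sample response are constructed assumptions.

```python
"""Audit CoreView read-only service accounts against the roles described in this article.

Input is the shape returned by Microsoft Graph GET /directoryRoles?$expand=members.
The response below is constructed sample data, not a real tenant.
"""
import json

# Roles the article says the service accounts are assigned (Azure AD display names).
EXPECTED_ROLES = {"Global Reader", "Reports Reader"}

# Assumption: service accounts keep the "Admin Read Only XY" display-name prefix.
SERVICE_ACCOUNT_PREFIX = "Admin Read Only"


def service_account_roles(directory_roles: list) -> dict:
    """Map each service account UPN to the set of directory roles it is a member of."""
    roles_by_upn = {}
    for role in directory_roles:
        for member in role.get("members", []):
            # Only user objects matter here; groups and service principals are skipped.
            if member.get("@odata.type") != "#microsoft.graph.user":
                continue
            if not member.get("displayName", "").startswith(SERVICE_ACCOUNT_PREFIX):
                continue
            roles_by_upn.setdefault(member["userPrincipalName"], set()).add(role["displayName"])
    return roles_by_upn


def find_over_privileged(directory_roles: list) -> dict:
    """Return service accounts holding roles outside EXPECTED_ROLES, with the extra roles."""
    return {
        upn: roles - EXPECTED_ROLES
        for upn, roles in service_account_roles(directory_roles).items()
        if roles - EXPECTED_ROLES
    }


# Constructed sample: two expected accounts, one of which was later given User Administrator.
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"displayName": "Global Reader", "members": [
    {"@odata.type": "#microsoft.graph.user", "displayName": "Admin Read Only 01",
     "userPrincipalName": "admin_read_only_01@contoso.onmicrosoft.com"},
    {"@odata.type": "#microsoft.graph.user", "displayName": "Admin Read Only 02",
     "userPrincipalName": "admin_read_only_02@contoso.onmicrosoft.com"}]},
  {"displayName": "Reports Reader", "members": [
    {"@odata.type": "#microsoft.graph.user", "displayName": "Admin Read Only 01",
     "userPrincipalName": "admin_read_only_01@contoso.onmicrosoft.com"}]},
  {"displayName": "User Administrator", "members": [
    {"@odata.type": "#microsoft.graph.user", "displayName": "Admin Read Only 02",
     "userPrincipalName": "admin_read_only_02@contoso.onmicrosoft.com"},
    {"@odata.type": "#microsoft.graph.user", "displayName": "Jane Admin",
     "userPrincipalName": "jane.admin@contoso.onmicrosoft.com"}]}
]}
""")

if __name__ == "__main__":
    for upn, extra in find_over_privileged(SAMPLE_RESPONSE["value"]).items():
        print(f"{upn}: unexpected roles {sorted(extra)}")
```

Run it against the real response of the same Graph call to get a list of service accounts whose role set has drifted from what CoreView provisions.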
Data is stored in different locations depending on the Data Center selected during the registration process:
- Canada DC: Canada East - Virginia
- US DC: East US - Virginia
- Europe DC: North Europe - Ireland
- Government DC: US Gov Virginia - Virginia
Please see this article for more details: https://azure.microsoft.com/en-ca/global-infrastructure/geographies/#geographies